CVE-2026-4208
Received Received - Intake
MFA Bypass in Extension Due to Improper Code Reset

Publication date: 2026-03-17

Last updated on: 2026-04-25

Assigner: TYPO3

Description
The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-17
Last Modified
2026-04-25
Generated
2026-06-16
AI Q&A
2026-03-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4208
EUVD
EUVD-2026-12554
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mrsilaz mfa_mail to 1.0.7 (exc)
mrsilaz mfa_mail 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'The TYPO3 extension "E-Mail MFA Provider" (mfa_email), version 2.0.0 and below, has a vulnerability where it fails to properly reset the generated MFA code after a successful authentication.'}, {'type': 'paragraph', 'content': 'This flaw allows an attacker to bypass multi-factor authentication (MFA) on future login attempts by submitting an empty string as the MFA code to the extension’s MFA provider.'}, {'type': 'paragraph', 'content': 'The vulnerability is exploitable only if the "E-Mail MFA Provider" is not the default MFA provider and the user has at least one other MFA provider enabled.'}] [1]

Impact Analysis

This vulnerability can lead to a high-severity security risk by allowing attackers to bypass MFA protections on affected TYPO3 installations.

An attacker could gain unauthorized access to user accounts by submitting an empty MFA code, potentially compromising sensitive data and system integrity.

Since MFA is a critical security control, bypassing it weakens the overall authentication process and increases the risk of account takeover.

Compliance Impact

I don't know

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability, users are advised to uninstall and delete the vulnerable TYPO3 extension "E-Mail MFA Provider" (mfa_email) versions 2.0.0 and below.'}, {'type': 'paragraph', 'content': 'Since the extension author did not provide a timely security fix, it is recommended to seek alternative MFA extensions from the TYPO3 Extension Repository.'}, {'type': 'paragraph', 'content': 'Additionally, users should follow the TYPO3 Security Guide recommendations and subscribe to the typo3-announce mailing list for updates.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4208. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart